Merge pull request #1000 from micahflee/989_noscript_xss_is_all_good

Strip NoScript XSS warning

onionshare/web/web.py

@@ -164,15 +164,6 @@ class Web(object):
                 return ""
             abort(404)
 
-        @self.app.route("/noscript-xss-instructions")
-        def noscript_xss_instructions():
-            """
-            Display instructions for disabling Tor Browser's NoScript XSS setting
-            """
-            r = make_response(render_template('receive_noscript_xss.html',
-                static_url_path=self.static_url_path))
-            return self.add_security_headers(r)
-
     def error401(self):
         auth = request.authorization
         if auth:

share/static/css/style.css

@@ -222,20 +222,3 @@ li.info {
   color: #666666;
   margin: 0 0 20px 0;
 }
-
-div#noscript {
-  text-align: center;
-  color: #d709df;
-  padding: 1em;
-  line-height: 150%;
-  margin: 0 auto;
-}
-
-div#noscript a, div#noscript a:visited {
-  color: #d709df;
-}
-
-.disable-noscript-xss-wrapper {
-  max-width: 900px;
-  margin: 0 auto;
-}

share/static/js/receive-noscript.js

@@ -1,2 +0,0 @@
-// Hide the noscript div, because our javascript is executing
-document.getElementById('noscript').style.display = 'none';

share/templates/receive.html

@@ -13,19 +13,6 @@
     </header>
 
     <div class="upload-wrapper">
-      <!--
-      We are not using a <noscript> tag because it only works when the security slider is set to
-      Safest, not Safer: https://trac.torproject.org/projects/tor/ticket/29506
-      -->
-      <div id="noscript">
-        <p>
-          <img src="{{ static_url_path }}/img/warning.png" title="Warning" /><strong>Warning:</strong> Due to a bug in Tor Browser and Firefox, uploads
-          sometimes never finish. To upload reliably, either set your Tor Browser
-          <a rel="noreferrer" target="_blank" href="https://tb-manual.torproject.org/en-US/security-slider/">security slider</a>
-          to Standard or
-          <a target="_blank" href="/noscript-xss-instructions">turn off your Tor Browser's NoScript XSS setting</a>.</p>
-      </div>
-
       <p><img class="logo" src="{{ static_url_path }}/img/logo_large.png" title="OnionShare"></p>
 
       <p class="upload-header">Send Files</p>
@@ -51,7 +38,6 @@
       </form>
 
     </div>
-    <script src="{{ static_url_path }}/js/receive-noscript.js"></script>
     <script src="{{ static_url_path }}/js/jquery-3.4.0.min.js"></script>
     <script async src="{{ static_url_path }}/js/receive.js"></script>
   </body>

share/templates/receive_noscript_xss.html

@@ -1,35 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
-    <title>OnionShare</title>
-    <link href="{{ static_url_path }}/img/favicon.ico" rel="icon" type="image/x-icon">
-    <link rel="stylesheet" rel="subresource" type="text/css" href="{{ static_url_path }}/css/style.css" media="all">
-  </head>
-  <body>
-
-    <header class="clearfix">
-        <img class="logo" src="{{ static_url_path }}/img/logo.png" title="OnionShare">
-        <h1>OnionShare</h1>
-    </header>
-
-    <div class="disable-noscript-xss-wrapper">
-      <h3>Disable your Tor Browser's NoScript XSS setting</h3>
-
-      <p>If your security slider is set to Safest, JavaScript is disabled so XSS vulnerabilities won't affect you,
-      which makes it safe to disable NoScript's XSS protections.</p>
-
-      <p>Here is how to disable this setting:</p>
-
-      <ol>
-        <li>Click the menu icon in the top-right of Tor Browser and open "Add-ons"</li>
-        <li>Next to the NoScript add-on, click the "Preferences" button</li>
-        <li>Switch to the "Advanced" tab</li>
-        <li>Uncheck "Sanitize cross-site suspicious requests"</li>
-      </ol>
-
-      <p>If you'd like to learn technical details about this issue, check
-        <a rel="noreferrer" href="https://github.com/micahflee/onionshare/issues/899">this issue</a>
-        on GitHub.</p>
-    </div>
-  </body>
-</html>